--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-6885 / XSA-82
version 3
Guest triggerable AMD CPU erratum may cause host hang
UPDATES IN VERSION 3
====================
Early public release.
This issue was predisclosed under embargo by the Xen Project Security
team, on the 27th of November. We treated the issue as not publicly
known because it was not evident from the public sources that this
erratum constitutes a vulnerability (particularly, that it was a
vulnerability in relation to some Xen configurations).
Since then, the fact that this CPU erratum is likely to constitute a
security problem has been publicly disclosed, on the oss-security
mailing list.
Under the circumstances, and in accordance with the Xen Project
security vulnerability policy, it has been decided that it is no
longer appropriate to retain the embargo, as the key facts are now in
the open.
ISSUE DESCRIPTION
=================
AMD CPU erratum 793 "Specific Combination of Writes to Write Combined
Memory Types and Locked Instructions May Cause Core Hang" describes a
situation under which a CPU core may hang.
IMPACT
======
A malicious guest administrator can mount a denial of service attack
affecting the whole system.
VULNERABLE SYSTEMS
==================
The vulnerability is applicable only to family 16h model 00h-0fh AMD
CPUs.
Such CPUs running Xen versions 3.3 onwards are vulnerable. We have
not checked earlier versions of Xen.
HVM guests can always exploit the vulnerability if it is present.
PV guests can exploit the vulnerability only if they have been granted
access to physical device(s).
Non-AMD CPUs are not vulnerable.
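The conditions above can be turned into a host triage check. This is an added example, not part of the advisory or of Xen's code. It assumes Linux-style /proc/cpuinfo text from dom0 and xl guest configuration text using the builder/type and pci keys; function names and sample data are constructed for illustration.

```python
import re

# Constructed sample inputs (not real hosts or guests).
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 22\n"
    "model\t\t: 0\nmodel name\t: constructed sample CPU\n"
)
SAMPLE_GUESTS = {
    "hvm1": 'name = "hvm1"\nbuilder = "hvm"\n',
    "pv-plain": 'name = "pv-plain"\nkernel = "/boot/vmlinuz"\n',
    "pv-passthru": "name = 'pv-passthru'\npci = [ '01:00.0' ]\n",
}


def cpu_affected(cpuinfo_text):
    """True if any processor is AMD family 16h (22), model 00h-0fh (0-15)."""
    for block in cpuinfo_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        try:
            family, model = int(fields["cpu family"]), int(fields["model"])
        except (KeyError, ValueError):
            continue  # incomplete or non-x86 entry
        if (fields.get("vendor_id") == "AuthenticAMD"
                and family == 0x16 and 0 <= model <= 0x0F):
            return True
    return False


def guest_exposed(cfg_text):
    """Advisory rule: HVM always; PV only when PCI devices are assigned."""
    cfg = "\n".join(line for line in cfg_text.splitlines()
                    if not line.lstrip().startswith("#"))
    is_hvm = re.search(r"""^\s*(builder|type)\s*=\s*["']hvm["']""", cfg, re.M)
    pci = re.search(r"^\s*pci\s*=\s*\[(.*?)\]", cfg, re.M | re.S)
    return bool(is_hvm) or (pci is not None and pci.group(1).strip() != "")


def guests_at_risk(cpuinfo_text, guest_cfgs):
    """Names of guests that could trigger the hang; empty if CPU is unaffected."""
    if not cpu_affected(cpuinfo_text):
        return []
    return sorted(n for n, cfg in guest_cfgs.items() if guest_exposed(cfg))


if __name__ == "__main__":
    print(guests_at_risk(SAMPLE_CPUINFO, SAMPLE_GUESTS))
```

A CPU match means the erratum applies to the hardware; this check does not determine whether the workaround is already in place through a patched Xen or updated firmware.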
CREDITS
=======
This issue's security impact was discovered by Jan Beulich.
MITIGATION
==========
This issue can be avoided by neither running HVM guests, nor assigning
PCI devices to PV guests.
RESOLUTION
==========
The attached patch contains a software workaround which resolves this
issue.
Alternatively, the recommended workaround can be implemented in
firmware, so a suitable firmware update will resolve the issue.
If you require a firmware update please consult your vendor.
xsa82.patch             Xen 4.1.x, Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa82*.patch
0a58f3564ca91fd2668c202446c607fdb1ec8643e558a3921046d43675f58c08 xsa82.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--=separator
Content-Type: application/octet-stream; name="xsa82.patch"
Content-Disposition: attachment; filename="xsa82.patch"
Content-Transfer-Encoding: base64
--=separator--